CanaRy
This time we added a canary to detect buffer overflows. Can you still find a way to retrieve the flag from this program located in /problems/canary_2_dffbf795b4788666d54a993a5e41d145. Source.
1. `BUF_SIZE` is 32 bytes so offset by `'a'*32` since canary will be next in stack
2.
3.
4. Offset after canary determined using `cyclic(24)` and `cyclic_find()` with `python2 -c "from pwn import *; print 'a'*32 + 'ex;Y' + cyclic(100)" | ./vuln` locally to get offset as `'a'*16`.
5. Last 1.5 bytes of `display_flag` function determined with `readelf -s vuln`
6. First byte found with gdb by placing a breakpoint at `vuln` and running which got `Breakpoint 1, 0x56622a14 in main ()` and more importantly the first byte `0x56`
7. Loops in hex are used to bruteforce every possible value for the remaining 1.5 bytes and `p32` from `pwntools` is used to convert to little endian
8. Run bruteforce-pie.py on shell server by pasting `bruteforce_pie` function (after running `from pwn import *`) into python terminal and then running `print bruteforce_pie()`
9. Flag will appear in a few minutes
10. If the flag doesn't appear after running the program then run it again and it will work (the program doesn't check addresses with zeros in them)
picoCTF{cAnAr135_mU5t_b3_r4nd0m!_1df5fde9}